5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
46.6%
UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in
Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for
example, use a large amount of indentation.
Author | Note |
---|---|
ccdm94 | the embedded ujson code in pandas, eventhough containing similar content as the upstream ujson code, seems to have diverged from the ujson upstream project (they have fully forked ujson), since pandas upstream is maintaining their own ujson bug fixes and changes without re-syncing with the ujson upstream project. There is no indication the ujson fork, as used in pandas, is vulnerable to the same issues as the upstream ujson code. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | pandas | < any | UNKNOWN |
ubuntu | 20.04 | noarch | pandas | < any | UNKNOWN |
ubuntu | 22.04 | noarch | pandas | < any | UNKNOWN |
ubuntu | 23.10 | noarch | pandas | < any | UNKNOWN |
ubuntu | 24.04 | noarch | pandas | < any | UNKNOWN |
ubuntu | 14.04 | noarch | pandas | < any | UNKNOWN |
ubuntu | 16.04 | noarch | pandas | < any | UNKNOWN |
ubuntu | 18.04 | noarch | ujson | < 1.35-2ubuntu0.1~esm1 | UNKNOWN |
ubuntu | 20.04 | noarch | ujson | < 1.35-4ubuntu0.1 | UNKNOWN |
ubuntu | 22.04 | noarch | ujson | < 5.1.0-1ubuntu0.1~esm1 | UNKNOWN |
bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009
github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml
launchpad.net/bugs/cve/CVE-2021-45958
nvd.nist.gov/vuln/detail/CVE-2021-45958
security-tracker.debian.org/tracker/CVE-2021-45958
ubuntu.com/security/notices/USN-6629-1
ubuntu.com/security/notices/USN-6629-2
www.cve.org/CVERecord?id=CVE-2021-45958
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
46.6%